Out of the box Laravel authorizes users by matching email (default - can be overridden) and password.
Is it possible to authorize user using 3 fields, e.g:
email
password
group
... where 'group' is some additional field from 'users' database.
In other words, user can belong to group:1 and can login to group:1 resources only, but not to group:2 using his group:1 credentials.
If user belongs to group:1 and group:2, then he needs different credentials to login to either group.
Additionally, user can use same email for both groups. In such case it is group number that would act as additional identifier. And of course passwords would be different.
I am thinking setting a database multiple column index on fields 'id' and 'group' would be a good start, but I fail to grasp (yet), what would be required to make Laravel authorization process sensitive to 3 fields, instead of 2.
I would appreciate some pointers.
This sounds like you're trying to achieve a form of tenancy on data belonging to certain groups only. Have a look at this package:
https://github.com/HipsterJazzbo/Landlord
In essence, you would add a group_id field to the tables where you wish to restrict access and then using middleware, apply an additional where('group_id', Auth::user()->group_id) clause to any database queries. This works very well for retrieving subsets of data belonging to specific users by their role, for example.
Related
In my application the users are split in 2 macro categories: Customer and Backoffice, every category has a subset of role, for example MANAGER and USER for Customer type and different ones for the Backoffice type.
So a user could be a Customer with a MANAGER role or a Backoffice with, for example, a SALES role.
Every Spring + Cognito guide on web uses cognito:groups to map the Spring ROLE, but for my case I would need to nest groups which is not possible on Cognito.
I've been thinking to use 2 custom attributes ( writable only by the admin) to set the category and role of the user respectively.
My question is, is there any disadvantage to using attributes instead of the groups?
One major concern is, those custom attributes won't be available as claims in the access token. But groups are available. So If you plan to use acces_token you may have to consider that.
There are some other minor considerations that I can think of, which may or may not be related your implementation:
Maximum number of custom attributes per user pool is 50.
Once created, you can not edit the name, min/max length and mutable property of the custom attribute. Also we can not delete that.
Even though nested groups are not supported in Cognito, is it not an option to create groups like: category_role? example: Customer_ MANAGER?
Is it possible to have two different tables for users and admin but one login page? I already used middleware and Spatie permission, but I need them to separate because some info doesn't match if they are together in one table.
For example:
Admin needs name, employee number. At the same time, users need a name, address, student number, etc.
I need suggestions on how to do that to study it.
Supposed I have a database with 3 tables:
Customers
Orders
CustomerOrders
I build a WebAPI with standard auth using bearer token and I have a middleware to receive all necessary claims from the token, and I have a controller for basic CRUD operations for Orders.
for example:
DELETE - Orders/{id}
PUT - Orders/{id}
How can I make sure that the order that the user is trying to manipulate belongs to the current user?
Do I first need to query the database to make sure that the OrderId belongs to the current UserId before each operation? or is there an easier way to do it?
You can somehow manage to have the information if the user the token was issued for granted the client application to manipulate orders in general dependending on the options of your identity management and token provider.
But to make sure that this specific order belongs to the current user can only be checked in your backend and this needs of course to be done with every operation. The order id could be brute-forced (guessed) and manipulated in the request so therefore you need check this on each request.
I suggest though to extract this checking logic - does the passed order id belong to the user id provided in the token - to some service method to make it reusable from different places. In your case, for instance reuse it for the different CRUD methods such as DELETE and PUT.
Currently, our TestCo Okta is able to pass ‘testrole’ with one of a few different values, e.g. ‘admin’ or ‘user.’ If a user has multiple ‘testrole’ attributes (based on group membership) then Okta has a precedence order that determines which one ‘testrole’ value it will return.
We need to be able to handle passing a list of roles from IdP to Cognito to our API. For example, a string of ‘admin, user, readonly, section-admin’.
You can add a "groups" or "roles" claim that contains all the groups information. To do this, log in to your Okta developer account, then navigate to API > Authorization Servers, and click on the default server. Click the Claims tab and Add Claim. Name it groups (or roles), and include it in the ID Token. Set the value type to Groups and set the filter to be a Regex of .*. Click Create.
I plan to develop a system that has three two types (admin, users). I want to have each user types information stored in a separate table for easy access and to reduce the number of blank fields (if they were all in one table).
i need all users login in the same login form not separated form for each one of them